lukethompson
Closing the RPC Port 135 whilst running IIS

I am working on securing W2k server setup, and am running IIS 5.

I have closed off most of the open ports on the system by shutting down unnecessary services (the box is purely an HTTP server).

However, there is one set of ports I cannot shut off - the RPC port 135, and its associated 1027 and 3456 ports. I have read some documentation that informs me, unhelpfully, that you can close the RPC ports by removing the following registry keys:

HKLM\Software\Microsoft\RPC\ClientProtocols\ncacn_ip_tcp
HKLM\Software\Microsoft\RPC\ClientProtocols\ncagd_ip_udp
HKLM\Software\Microsoft\RPC\DCOM Protocols

However, this will not shut down the RPC port if you are running IIS.

I would like to have a W2k setup that had purely tcp/80 and tcp/443 ports open, which in point of fact is all that I need.




AvonWyss

You can enable TCP/IP filters in the properties of the network adapter, TCP/IP properties, Advanced, Options, TCP/IP filter (or similar, I have a non-English version here).

This allows you to close ports, even if some application is listening. I think this is better than "killing" services which may be important to properly run IIS (or other OS components).
lukethompson

ASKER

I have done this already, and the firewall is also blocking these ports; however, I don't like not being in control of what ports the machine has open.

What I am aiming for is to do a "netstat -an", and see:

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING

The only ports that should be accessible are HTTP and SSL ports for the web server.

I see. Go to http://www.foundstone.com and get yourself the fport utility. It's kind of a netstat, but also shows which application opened a specific port. This may help you.
Thanks I'll check this out.
Take a look at the RPC Service properties and click on the Dependencies tab, and you will see that too many components are bound to this RPC.

It's almost impossible to shut down the RPC service unless you don't run anything at all.

And, like it or not, that's what it takes to be an IIS, instead of a generic HTTPd.
I checked out the port mapping software (now called Vision) from FoundStone, but found it not too helpful. It told me that:

"inetinfo" was listening on ports:
tcp/25, tcp/80, tcp/443, tcp/1025, udp/1026, udp/3456

"svchost" (the Remote Procedure Call (RPC) service uses svchost) was listening on ports:
tcp/135 and udp/135

"system" was listening on:
tcp/1027 (for some God forsaken reason)

It seems that the w3svc when it starts not only opens 80 and 443, but 3456 as well.

The SMTP service only seems to use 25.

The IISAdmin service opens 1025 and 1026 (these ports are randomly assigned by the RPC port mapper within a range of ports).

I would dearly love to understand the reasons for this behaviour, and be able to control it. It seems to me unreasonable that there wouldn't be some way to do this, as it represents to me a large security hole in unprotected environments, and I hate black boxes.
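The asker's goal two posts up (a `netstat -an` listing that shows nothing but tcp/80 and tcp/443) and the per-process port mapping reported in this post can be turned into a repeatable check. The script below is an added example written for this thread, not something the asker or the other participants posted: it parses `netstat -an` text in the Windows column layout shown above, compares every listening socket against an allowlist, and annotates each unexpected listener with the owning process. The sample netstat output and the owner table are constructed here from the figures the asker reports (inetinfo, svchost, system), not captured from a real host; the allowlist of tcp/80 and tcp/443 is the asker's stated target.

```python
"""Audit a Windows `netstat -an` listing against an allowlist of expected
listening ports and name the process the thread reports as the owner.

Added example for this thread; nothing here is the asker's or Foundstone's code.
"""
import re
from collections import namedtuple

Listener = namedtuple("Listener", "proto addr port")

# The asker's target: only these (proto, port) pairs should be reachable.
ALLOWED = {("TCP", 80), ("TCP", 443)}

# Constructed sample shaped like Windows 2000 `netstat -an` output, using the
# ports the asker lists (not a capture from a real server).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1027           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:80          198.51.100.7:4321      ESTABLISHED
  UDP    0.0.0.0:135            *:*
  UDP    0.0.0.0:1026           *:*
  UDP    0.0.0.0:3456           *:*
"""

# Process-to-port ownership as the asker reports it from the Foundstone tool;
# constructed here from the thread's figures, not tool output.
REPORTED_OWNERS = {
    ("TCP", 25): "inetinfo", ("TCP", 80): "inetinfo", ("TCP", 443): "inetinfo",
    ("TCP", 1025): "inetinfo", ("UDP", 1026): "inetinfo", ("UDP", 3456): "inetinfo",
    ("TCP", 135): "svchost", ("UDP", 135): "svchost",
    ("TCP", 1027): "system",
}

# One netstat row: proto, local addr:port, foreign addr(:port), optional state.
# UDP rows on Windows carry "*:*" as the foreign address and no State column.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_listeners(text):
    """Return the sockets that can accept traffic from the network.

    TCP rows count only in state LISTENING (established connections are not
    exposure). UDP rows have no state: any bound UDP socket receives datagrams,
    so every UDP row counts.
    """
    found = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header, blank line, or a row in an unexpected layout
        proto, addr, port, _foreign, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue
        found.append(Listener(proto, addr, int(port)))
    return found


def audit(text, allowed=ALLOWED, owners=REPORTED_OWNERS):
    """Return (proto, port, owner) for every listener outside the allowlist."""
    return [
        (l.proto, l.port, owners.get((l.proto, l.port), "unknown"))
        for l in parse_listeners(text)
        if (l.proto, l.port) not in allowed
    ]


if __name__ == "__main__":
    findings = audit(SAMPLE_NETSTAT)
    if not findings:
        print("only allowlisted ports are listening")
    for proto, port, owner in findings:
        print(f"unexpected listener {proto.lower()}/{port} owned by {owner}")
```

On a live host the same functions run over the real output (`netstat -an` piped into a file, then read into `audit`), with the owner table filled from a port-to-process tool such as the fport utility mentioned earlier in the thread. Treating UDP rows as always exposed is deliberate: they never show a state, and the endpoint mapper's udp/135 is as reachable as its TCP twin.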
P.s. I have looked at the RPC service dependencies, and did try disabling it too. If you do disable it, you will have a small problem, in that the Services control panel uses RPC itself, and you won't be able to start the service again after a reboot, because the control panel no longer functions.

You can get yourself out of this by editing the reg key:
HKLM\System\CurrentControlSet\RpcSS\Start parameter and setting it to 2 (Automatic start).

Disabling RPC does make your box nice and secure, but as you say, a little useless too. I don't mind the fact that the thing has to run, I just don't want it sitting there waiting to be attacked on open ports.

As I mentioned in the original question, RPC doesn't actually have to listen on those ports unless IIS is running, you can make a couple of reg edits to turn it off. What I am after is how to control IIS's behaviour to allow these ports to be closed.

I think that's just the way MS products are made: versatility vs. control (and because of the missing control ability also security). I think the way to go is to accept that you cannot exactly foretell which ports will be opened and thus close the ports (as mentioned and done by you) explicitly at another level.
I think I now know why the services open these ports. I will prove it this morning, but I think that they use the RPC ports to allow remote administration of the web services, using the IIS admin MMC snap-in from another machine.

I thought I had it yesterday when I found this registry key:
HKLM\System\Services\SvcNAME\Parameters\EnableSvcLoc

This reg key is described as enabling / disabling the ability to remotely 'locate' the running service.

I did some packet sniffing, and it seems as though the IIS snap-in does use RPC to remotely administer and configure web services on another PC. I suppose that's why the IISAdmin service starts up two RPC ports - one for SMTPSVC, one for W3SVC, to allow the actual services themselves to be started or stopped using the remote admin tool.

If I can find out how to turn off remote admin for IIS, I think the ports will also be able to be closed.
Dear questioner/expert(s)

No comment has been added lately, so it's time to clean up this TA.
I'll leave a recommendation in the Cleanup topic area that this question is to be:

- PAQ'd and pts refunded

Please leave any comments here within the next seven days.

==> PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER ! <==

PaSHa

Cleanup volunteer
ASKER CERTIFIED SOLUTION
SpideyMod
